Make curve25519-donna-c64 handle non-canonical points like the ref implementation.

.gitignore

@@ -77,6 +77,8 @@ test/default/scalarmult
 test/default/scalarmult2
 test/default/scalarmult5
 test/default/scalarmult6
+test/default/scalarmult7
+test/default/scalarmult8
 test/default/secretbox
 test/default/secretbox2
 test/default/secretbox7

src/libsodium/crypto_scalarmult/curve25519/donna_c64/smult_curve25519_donna_c64.c

@@ -196,7 +196,7 @@ fexpand(limb *output, const u8 *in) {
   output[1] = (*((const uint64_t *)(in+6)) >> 3) & 0x7ffffffffffff;
   output[2] = (*((const uint64_t *)(in+12)) >> 6) & 0x7ffffffffffff;
   output[3] = (*((const uint64_t *)(in+19)) >> 1) & 0x7ffffffffffff;
-  output[4] = (*((const uint64_t *)(in+25)) >> 4) & 0x7ffffffffffff;
+  output[4] = (*((const uint64_t *)(in+25)) >> 4) & 0xfffffffffffff;
 }
 
 /* Take a fully reduced polynomial form number and contract it into a

test/default/Makefile.am

@@ -27,6 +27,8 @@ EXTRA_DIST = \
 	scalarmult2.exp \
 	scalarmult5.exp \
 	scalarmult6.exp \
+	scalarmult7.exp \
+	scalarmult8.exp \
 	secretbox.exp \
 	secretbox2.exp \
 	secretbox7.exp \
@@ -69,6 +71,8 @@ DISTCLEANFILES = \
 	scalarmult2.res \
 	scalarmult5.res \
 	scalarmult6.res \
+	scalarmult7.res \
+	scalarmult8.res \
 	secretbox.res \
 	secretbox2.res \
 	secretbox7.res \
@@ -119,6 +123,8 @@ TESTS_TARGETS = \
 	scalarmult2 \
 	scalarmult5 \
 	scalarmult6 \
+	scalarmult7 \
+	scalarmult8 \
 	secretbox \
 	secretbox2 \
 	secretbox7 \
@@ -219,6 +225,12 @@ scalarmult5_LDADD         = $(TESTS_LDADD)
 scalarmult6_SOURCE        = cmptest.h scalarmult6.c
 scalarmult6_LDADD         = $(TESTS_LDADD)
 
+scalarmult7_SOURCE        = cmptest.h scalarmult7.c
+scalarmult7_LDADD         = $(TESTS_LDADD)
+
+scalarmult8_SOURCE        = cmptest.h scalarmult8.c
+scalarmult8_LDADD         = $(TESTS_LDADD)
+
 secretbox_SOURCE          = cmptest.h secretbox.c
 secretbox_LDADD           = $(TESTS_LDADD)
 

test/default/scalarmult7.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <string.h>
+#define TEST_NAME "scalarmult7"
+#include "cmptest.h"
+
+unsigned char p1[32] = {
+    0x72, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54,
+    0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a,
+    0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4,
+    0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0xea
+};
+
+unsigned char p2[32] = {
+    0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54,
+    0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a,
+    0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4,
+    0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a
+};
+
+unsigned char scalar[32];
+unsigned char out1[32];
+unsigned char out2[32];
+
+int main(void)
+{
+  int i;
+
+  scalar[0] = 1U;
+  crypto_scalarmult_curve25519(out1, scalar, p1);
+  crypto_scalarmult_curve25519(out2, scalar, p2);
+  printf("%d\n", memcmp(out1, out2, sizeof out1));
+
+  return 0;
+}

test/default/scalarmult7.exp

@@ -0,0 +1 @@
+0

test/default/scalarmult8.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <string.h>
+#define TEST_NAME "scalarmult7"
+#include "cmptest.h"
+
+unsigned char p1[32] = {
+    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+unsigned char p2[32] = {
+    0x25,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+};
+
+unsigned char scalar[32];
+unsigned char out1[32];
+unsigned char out2[32];
+
+int main(void)
+{
+  int i;
+
+  scalar[0] = 1U;
+  crypto_scalarmult_curve25519(out1, scalar, p1);
+  crypto_scalarmult_curve25519(out2, scalar, p2);
+  printf("%d\n", memcmp(out1, out2, sizeof out1));
+
+  return 0;
+}

test/default/scalarmult8.exp

@@ -0,0 +1 @@
+0